04.DNSSEC

●設定

[root@ora12ee01 chroot]# cd /var/named/

[root@ora12ee01 named]# dnssec-keygen -r /dev/random -a RSASHA256 -b 1024 -n zone oradomain

Generating key pair..++++++ ...........................................++++++

Koradomain.+008+18606

[root@ora12ee01 named]# ll

合計 32

-rw-r--r-- 1 root root 427 1月 20 17:17 Koradomain.+008+18606.key

-rw------- 1 root root 1012 1月 20 17:17 Koradomain.+008+18606.private

[root@ora12ee01 named]# dnssec-keygen -r /dev/random -f KSK -a RSASHA256 -b 2048 -n zone oradomain

Generating key pair...........................................................................................................................+++ ............................................................................................+++

Koradomain.+008+05116

[root@ora12ee01 named]# ll

合計 40

-rw-r--r-- 1 root root 600 1月 20 17:23 Koradomain.+008+05116.key

-rw------- 1 root root 1776 1月 20 17:23 Koradomain.+008+05116.private

[root@ora12ee01 named]# vi oradomain.zone

[root@ora12ee01 named]# cat oradomain.zone

$ORIGIN oradomain.

$TTL 86400

$INCLUDE "Koradomain.+008+05116.key"

$INCLUDE "Koradomain.+008+18606.key"

@ IN SOA ns.oradomain. root.oradomain. (

2003031401 ; Serial

[root@ora12ee01 named]# dnssec-signzone -o oradomain oradomain.zone

Verifying the zone using the following algorithms: RSASHA256.

Zone fully signed:

Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked

ZSKs: 1 active, 0 stand-by, 0 revoked

oradomain.zone.signed

[root@ora12ee01 named]# ll

-rw-r--r-- 1 root root 443 1月 20 17:26 oradomain.zone

-rw-r--r-- 1 root root 5076 1月 20 17:27 oradomain.zone.signed

[root@ora12ee01 named]# cp -p /etc/named.conf /etc/named.conf.bk

[root@ora12ee01 named]# vi /etc/named.conf

[root@ora12ee01 named]# diff /etc/named.conf.bk /etc/named.conf

63c63

< file "oradomain.zone";

---

> file "oradomain.zone.signed";

[root@ora12ee01 named]# systemctl restart named-chroot.service

●2号機でテスト

[root@ora12ee02 ~]# dig www.oradomain

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.oradomain

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4631

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.oradomain. IN A

;; ANSWER SECTION:

www.oradomain. 86400 IN A 192.168.100.112

;; AUTHORITY SECTION:

oradomain. 86400 IN NS ns.oradomain.

;; ADDITIONAL SECTION:

ns.oradomain. 86400 IN A 192.168.100.111

;; Query time: 0 msec

;; SERVER: 192.168.100.111#53(192.168.100.111)

;; WHEN: 日 1月 20 17:35:43 JST 2019

;; MSG SIZE rcvd: 91